
Re: Security breach?

Newsgroups comp.os.linux.security
Subject Re: Security breach?
From Ohmster <root@dev.nul>
References <XnsA145508078CBMyBigKitty@216.196.97.131> <slrnkevaie.4qm.BitTwister@wb.home.test> <i1OHs.32904$3S5.11697@newsfe18.iad> <XnsA1452A741B196MyBigKitty@216.196.97.131> <slrnkevu1b.sfk.BitTwister@wb.home.test>
Organization Ohm's Fish Market
Message-ID <XnsA145ABD95DD64MyBigKitty@216.196.97.131> (permalink)
Date 2013-01-11 15:53 -0600



Bit Twister <BitTwister@mouse-potato.com> wrote in
news:slrnkevu1b.sfk.BitTwister@wb.home.test: 

> On Fri, 11 Jan 2013 03:10:37 -0600, Ohmster wrote:
> 
> Going to merge in stuff from upline posts.
> 
> Before I forget it again, you need to create a police report to help
> cover your @$$.

No financial loss. Contacted ebay seller of silver coins, cancelled the 
transaction, no items shipped. The seller was good about it, they also 
have had their PC rooted and they sell a LOT of silver and coins.
 
>> ...sigh. I noticed a few days ago that the Firefox browser was open
>> to craigslist and it was a post to my account for a ridiculous suv for
>> sale with all kinds of spam words in it, so many it would violate
>> CL's TOS. 
> 
> So you're telling us you have been cracked for a few days.  :-(
 
Well yeah, although I did not know it for sure until now. I woke up a few 
days ago, found my Linux machine on, Firefox opened to craigslist, and an 
ad for an suv, chock full of spam words, had been posted. Made 
no sense so I did nothing. Next day got an email from craigslist telling 
me "my ad" violated TOS and would be cancelled.

>> Selinux is too restrictive, by the time I figure it out I would be
>> dead so I disabled it all this time.
> 
> If you had selinux disabled then you helped the cracker to get into
> the box. 

Well, with selinux enabled, *nothing* works anymore. Not samba, ssh may 
have issues, httpd, ftpd, everything is broken and is a major hassle to 
get working again, if it is possible at all. Now I am sure that the 
people who wrote selinux did not mean to disable the entire daemon system 
and there must be some clear documentation on how to make it work, but I 
cannot find it. No GUI or easy to understand docs that I can find. 
Pointers?

>> Gotta be a rootkit or something.
> 
> And there lies the rub. There is no telling what is installed unless 
> you take the drive to another system and really dig into it.
> This assumes you know what you are doing and do not infect the new
> system. 

I would have to wipe and reinstall this system and I do not want to 
reinfect it. However, I have many config files that I will need, not to 
mention the public_html directory is something I use all the time.

>> Bit Twister <BitTwister@mouse-potato.com> wrote in
>> news:slrnkevaie.4qm.BitTwister@wb.home.test: 
>>
>> Yeah well that did not seem to help, still in my box, having a field
>> day with the browser and stored passwords.
> 
> Yep, I never store passwords in the browser.
> Hell, I have a separate Linux account for surfing, credit card,
> bank,... Except for bank, .bash_logout wipes and tars in a pristine
> setup. 

Good tip. So much for that idea. Since I hardly ever use the Linux 
desktop on a 2Ghz Pentium w/1.5 GB DDR RAM because it is very slow, it 
makes no sense to store passwords on it. Not to mention compiz, which I 
think is quite cool, but overall, performance, even with an nvidia card, 
leaves much to be desired.

> I even have separate Linux accounts for each email account.
> Can not use the tar/wipe/restore there.

I have enabled mail in previous installs of Fedora, the whole thing was 
no good, my IP was blocked every step of the way for being a cable IP 
block. So much for mail server. I did use my ISP, Comcast as the mail 
agent, but this too was a disaster. They just do not want individuals 
running mail servers and I do understand why. Spam boxes were built and 
sold for this very reason and are totally banned.

>>> Going to guess no firewall and/or lack/missing security updates of
>>> plugins and/or applications used via the web.
>>
>> Not at all. I have the firewall running and use the updater applet
>> all the time. And I use yum to update the system constantly.
> 
> That means you have whatever updates supplied by your distro.
> Not necessarily the latest.

Of course. I run MintOS to be able to use the rpm files that my package 
manager will understand, install, and keep track of. I cannot just "jet 
off to kernel.org" and install the latest bleeding edge kernel from a 
tarball and maintain system stability. But MintOS updates are quite 
frequent, they come several times a month.

>>> Had you been running something like
>>> http://sourceforge.net/projects/aide
>>> and running something like http://rkhunter.sourceforge.net
>>> 
>>> You might have had a chance, maybe.
>>
>> No. Never heard of it until now. You think it can help, even after
>> the fact? Oh this looks awesome, Bit!
> 
> Aide would be useless at this point.
> rkhunter might work but you have to connect to
> get a download of the database so doing that on the infected system
> is just asking for trouble.

I read up a little on rkhunter and it seems to take the tripwire 
approach, meaning I would initially need a clean system to install it on, 
not much good once system is infected.

> Moving the drive to another system and running rkhunter might turn
> something up but I would not count on it.

I do not think it would help, but it would be a very wise thing to do 
after installing clean.

[..]
>> Wow! Really? Logwatch did show tampered or altered system files but I
>> fail to see how this one file can do anything bad.
> 
> You are missing the point. Malware puts hooks in to catch anything 
> relating to its activity and put it in the bit bucket.
> 
> In your case not everything is being caught.

Sad.

>> Hm, never thought of that. Must I use another Linux box or can I use
>> my Windows 7 machine that I can ssh to?
> 
> Oh, My God. Hell, you might have been cracked through that machine if it
> is on the same network.

Yes it is on the same LAN but I doubt it was cracked through the Windows 
7 machine which is up to date with Avast installed and updated. This 
machine never connects to Linux but for samba when I want and ssh w/PuTTY 
when I need it. The MintOS machine itself is online, 24/7, with FQDN and 
httpd, ftpd, sshd, and everything else. It is a wide open target all by 
itself.

>> Yes it is offline and shut down. I want to power it up but must pull
>> the Ethernet cable until I can disable the Internet on this box.
>> Sysconfig, NETWORKING - NO?
>> What do you think?
> 
> You have to pull the network cable unless you want to purchase
> something else on craigslist or ebay.  :-(
> 
> Hope you got the delivery address for what was bought. It looks real
> good in the police report.

You think the machine will power itself back on, all by itself or by 
remote command when it is not even turned on? I would sure like to see 
that! But I will pull the cable if you think it prudent. I do want to be 
able to power it up and rescue my files though, and I would like to be 
able to do it with LAN access, if at all possible. How to do it? Pull 
cablemodem plug and run on LAN only while getting files or can I block 
just the Linux machine from Internet while running it?

Ebay silver coin purchase was cancelled by me this afternoon. I called 
the seller in Montana and spoke to her about it. She sells a LOT of 
silver so she herself has been rooted and understands what happens. She 
was gracious and sent me a cancellation form. Nothing purchased on 
craigslist. A police report with nothing stolen other than peace of mind 
would not go over well with BSO in my county. :P

>> Tell me more BT. Thanks! 
> 
> If the choice is between win7 and the infected box and you want to
> root around, then all I can suggest is get a new drive, unplug
> infected drive(s), clean install, + updates, + aide, + rkhunter, tell
> fstab about infected drive(s) set to not automount with read only.
> 
> Power down, connect infected drive and start looking through the
> drive. 

Oh my, that would be rough.

> Other solution is to use a live cd but that is going to be a bit slow.
> If someone comes after you with legal paper, you better have
> unmodified drive(s) showing you were cracked and have a copy of your
> police report. 

Yes, I thought about a live CD, there are several good ones out there, 
but as you say, it would be slow.

> I would be very surprised if you find/figure out how you were cracked.
> Saw an article about some malware on an infected web site would create
> a tunnel back to cracker.  :(

Last time I got rooted or hacked, it was in the apache logs, some script 
kiddy used a buffer overflow exploit and got in. Since Redhat 9 was EOL 
for 2 years, I guess I had it coming.

> Any internet content, flash, pdf, gif, MP3, WMA, WMV, MP2,..., might
> contain malware.

...really. Oh this really bites. Any way to scan files for malware in 
Linux?

> Poisoned cookies, bookmarks, dns cache,... are another vector.
> Not to mention infected websites cracking your router from the LAN
> side. 
> 
> If it were me, I would put the drive(s) in the closet and hope nothing
> else happens.

Made your point. The system is trashed. I don't have extra money for a new 
hard drive right now, but formatting this one should totally rid it of 
malware and with a clean install, be okay. I must copy important files to 
a separate hard drive and have two of them in the Linux machine. Then I 
can mount them and access my stuff when I need it.

Thanks Bit. Man, you have been at the help desk like, forever dude! When 
do you get your gold watch? I will pitch in if everyone else will. :)

-- 
~Ohmster
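An added example, not part of the thread, sketching in POSIX shell the step Bit Twister describes ("tell fstab about infected drive(s) set to not automount with read only") and extending it with a SHA-256 manifest of the files Ohmster wants to rescue, so the copied files can later be matched against the untouched drive. The device, UUID, mount point and paths are placeholders, not values from the thread.

```shell
#!/bin/sh
# Handling a suspect (infected) drive from a freshly installed system.
# All device names, UUIDs and paths below are assumed placeholders.

# Mount options for anything on the suspect drive: never written to, and
# nothing on it may execute, gain privileges or expose device nodes.
SUSPECT_MOUNT_OPTS="ro,noexec,nosuid,nodev"
# In /etc/fstab the drive must also stay unmounted at boot.
SUSPECT_FSTAB_OPTS="noauto,$SUSPECT_MOUNT_OPTS"

# Print the /etc/fstab line for the suspect drive.  Both trailing fields are 0
# so that neither dump nor fsck ever touches (and possibly alters) the evidence.
#   $1 device (prefer UUID=... so a re-ordered disk is not mistaken for the clean one)
#   $2 mount point   $3 filesystem type
fstab_line() {
    printf '%s %s %s %s 0 0\n' "$1" "$2" "$3" "$SUSPECT_FSTAB_OPTS"
}

# Return 0 only if an fstab options field carries every required option and
# none of the options that would undo them (rw, auto, exec).
check_opts() {
    opts=",$1,"
    for want in noauto ro noexec nosuid nodev; do
        case "$opts" in
            *",$want,"*) ;;
            *) return 1 ;;
        esac
    done
    case "$opts" in
        *",rw,"*|*",auto,"*|*",exec,"*) return 1 ;;
    esac
    return 0
}

# Mount the suspect drive explicitly (root required) and emit a SHA-256
# manifest of the files about to be rescued.  $3.. are paths relative to the
# mount point, e.g. home/ohmster/public_html or etc.
rescue_manifest() {
    dev="$1"; mnt="$2"; shift 2
    mount -o "$SUSPECT_MOUNT_OPTS" "$dev" "$mnt" || return 1
    for p in "$@"; do
        find "$mnt/$p" -type f -exec sha256sum {} +
    done
}

# Example invocation on the clean system (placeholders, not run by default):
# fstab_line UUID=PLACEHOLDER-UUID /mnt/suspect ext4 >> /etc/fstab
# rescue_manifest /dev/sdX1 /mnt/suspect home/ohmster/public_html etc > manifest.sha256
```

Keeping manifest.sha256 off the suspect drive lets you verify the rescued copies with `sha256sum -c` after they land on the new install.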
